An EVM-equivalent Layer 1 where balances, amounts, and contract state live under protocol-level threshold FHE — confidential by construction, verifiable by anyone, with a ZK shielded pool for trustless privacy.
Privacy on Celar is not an add-on contract — it is the protocol's data plane. Every tier is specified against explicit adversary classes, with a published leakage matrix instead of adjectives.
Amounts, balances, and contract values are TFHE ciphertexts evaluated on-chain via programmable bootstrapping. ConfidentialERC20 out of the box.
Dual-key stealth addresses (ERC-5564 pattern) give every payment a fresh one-time address; bonded relayers obfuscate senders.
A Groth16 shielded pool over BLS12-381: sender, recipient, and amount privacy that survives even a fully colluding validator set.
Standard EVM semantics, Solidity toolchain, address model, and JSON-RPC. Confidential features enter only through precompiles — existing contracts, wallets, and tooling work unmodified.
euint8…euint64 and ebool via a TFHE.sol standard library; handles in storage, ciphertexts in the FHE data plane.import {TFHE, euint64, ebool} from "celar/TFHE.sol"; contract ConfidentialVault { mapping(address => euint64) private bal; function transfer(address to, euint64 amt) external { ebool ok = TFHE.and( TFHE.le(amt, bal[msg.sender]), // funds check TFHE.le(amt, TFHE.sub(MAX, bal[to])) // overflow guard ); euint64 m = TFHE.select(ok, amt, ZERO); bal[msg.sender] = TFHE.sub(bal[msg.sender], m); bal[to] = TFHE.add(bal[to], m); // no revert, no branch, no leakage — // outcome visible only to the owner via re-encryption } }
Every confidential transfer is consensus-valid whether or not it succeeds. Uniform gas tier, no revert, no event difference — an external observer learns nothing from the outcome.
Encrypted comparison: does the sender have the funds? The answer stays encrypted.
A second encrypted check protects the recipient balance; ok = ok₁ ∧ ok₂.
The moved amount is the value — or an encrypted zero. No branch ever executes.
Balances update identically in both worlds. Only the sender learns the outcome, via self re-encryption.
The TFHE secret key exists only as shares across a 100-seat committee. Decryption and re-encryption require a 79-seat quorum, every action is attributable and slashable, and the capture bound is constitutional — governance cannot weaken it.
A robust distributed key generation with published transcripts and on-chain complaint resolution produces linear shares — plus the CRS for input proofs. Misbehaving parties are excluded before genesis.
Authorized reveals combine t partial decryptions, each flooded with calibrated noise so repeated decryptions stay safe under adversarially influenced ciphertexts (IND-CPA-D), with per-epoch query budgets.
Shares refresh every epoch; old shares become useless. An adversary must corrupt ≥ 79 seats within a single epoch. Committee seats rotate on staggered 25-epoch terms via a domain-separated VRF beacon.
Every partial decryption is a signed, self-contained fraud proof — unauthorized service is severely slashed. Disaster recovery is a sealed resharing-only quorum behind an on-chain, timelocked activation predicate: public by construction, never covert.
Most privacy chains market adjectives. Celar publishes a consolidated leakage matrix against named adversary classes — including its declared v1 non-goals.
| Data item | Public tier | FHE tier (v1) | ZK pool (v2) |
|---|---|---|---|
| Amount | Visible | Hidden* | Hidden |
| Balances / state | Visible | Hidden* | N/A — notes |
| Sender identity | Visible | Relayer-obfuscated | Hidden |
| Recipient identity | Visible | One-time stealth addr | Hidden |
| Transfer success / failure | Visible | Hidden — branchless | Contents hidden |
| Contract call target | Visible | Visible — v1.x roadmap | N/A — pool precompile |
Issuance, staking, and the privacy guarantee are bound together by a published health rule: the cost of corrupting a decryption quorum must stay at least 2× the value shielded on-chain — recomputed continuously, constitutionally enforced.
BFT safety under f < n/3 with instant finality; the supply invariant is machine-checked every block.
Amounts, balances, and contract state stay hidden against any coalition below the 79-seat quorum.
Stealth addresses and relayer indirection reduce the observer's view to relayer, one-time address, tier, and time.
Shielded-pool anonymity holds even if every validator colludes — cryptography, not committee trust.
Total supply is publicly verifiable at all times: encrypted state can never mint or hide inflation.
Every decryption requires owner or contract authorization; violations are attributable and slashable, and the only recovery path is public-by-construction.